Executive summary 


Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use 
publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to 
obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied 
networks, including national security and government-related systems. 


Recent Russian SVR activities include compromising SolarWinds® Orion® software updates, targeting COVID-19 
research facilities through deploying WellMess malware, and leveraging a VMware® vulnerability that was a zero-day at 
the time for follow-on Security Assertion Markup Language (SAML) authentication abuse. SVR cyber actors also used 
authentication abuse tactics following SolarWinds-based breaches. 


The SVR has exploited—and continues to successfully exploit—software vulnerabilities to gain initial footholds into victim 
devices and networks, to include: 


• CVE-2018-13379 Fortinet® 
• CVE-2019-9670 Zimbra® 
• CVE-2019-11510 Pulse Secure® 
• CVE-2019-19781 Citrix® 
• CVE-2020-4006 VMware® 


The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of 
Investigation (FBI) previously shared mitigations to defend against exploitation of these vulnerabilities. Knowing the 
tradecraft that nation-state cyber actors use along with relevant response actions will enable network defenders to focus 
on mitigating the vulnerabilities and techniques, enabling more comprehensive protection against adversary compromise. 
Detailed vulnerabilities and mitigations 


NSA, CISA, and FBI are aware that United States Government, critical infrastructure (including Defense Industrial Base), 
and allied networks are consistently scanned, targeted, and exploited by Russian state-sponsored cyber actors. NSA, 
CISA, and FBI recommend that critical system owners prioritize the following mitigation actions to mitigate the loss of 
sensitive information that could impact U.S. policies, strategies, plans, ongoing operations, and competitive advantage. 
Additionally, due to the various systems and networks that could be impacted outside of these sectors, NSA, CISA, and 
FBI recommend that the following mitigations be prioritized for action by all network defenders. 


The techniques leveraged by SVR actors include[1]: 


• Exploiting public-facing applications (T1190)[2] 
• Leveraging external remote services (T1133) 
• Compromising supply chains (T1195) 
• Using valid accounts (T1078) 
• Exploiting software for credential access (T1212) 
• Forging web credentials: SAML tokens (T1606.002) 


While some vulnerabilities have specific additional mitigations below, the following general mitigations apply: 


• Keep systems and products updated and patch as soon as possible after patches are released since many actors 
exploit numerous vulnerabilities.[3] 

• Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was 
patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce 
least-privileged access, and make password changes and account reviews a regular practice.[4] 

• Disable external management capabilities and set up an out-of-band management network.[5] 

• Block obsolete or unused protocols at the network edge and disable them in device configurations.[6] 

• Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.[7] 

• Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of 
compromise or credential misuse, particularly within cloud environments.[8] 

• Adopt a mindset that compromise happens: prepare for incident response activities, only communicate about 
breaches on out-of-band channels, and take care to uncover a breach’s full scope before remediating.[9] 


The following is a list of specific Common Vulnerabilities and Exposures (CVEs) being actively exploited by SVR actors, a 
description of the vulnerability, and the recommended mitigations. 


CVE-2018-13379 
  Vulnerability description: In Fortinet Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portals, an Improper 
  Limitation of a Pathname to a Restricted Directory ("Path Traversal") allows an unauthenticated attacker to download 
  system files via specially crafted HTTP resource requests. 
  Affects: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 
  Prior cybersecurity guidance: Advisory: APT29 targets COVID-19 vaccine development (U/OO/152680-20); 
  Mitigating Recent VPN Vulnerabilities (U/OO/196888-19) 

CVE-2019-9670 
  Vulnerability description: In Synacor Zimbra Collaboration Suite, the mailboxd component has an XML External Entity 
  injection (XXE) vulnerability. 
  Affects: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. 
  Prior cybersecurity guidance: Advisory: APT29 targets COVID-19 vaccine development (U/OO/152680-20) 





[1] Refer to CISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (AA20-352A) for more techniques. 
[2] T1190 and similar references are MITRE® ATT&CK® techniques. 
[3] Refer to Update and Upgrade Software Immediately (U/OO/181147-19). 
[4] Refer to Defend Privileges and Accounts (U/OO/181857-19) and the “assume breach” principle of CSI — Embracing a Zero Trust Security Model (U/OO/115131-21). 
[5] Refer to Perform Out-of-Band Network Management (U/OO/169570-20). 
[6] Refer to Hardening Network Devices (U/OO/171339-16), Outdated Software and Protocols (U/OO/802041-16), and Outdated Network Devices and Unsecured Protocols (U/OO/802587-16). 
[7] Refer to Segment Networks and Deploy Application-Aware Defenses (U/OO/184967-19). 
[8] Refer to CISA Alert: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments (AA21-008A). 
[9] Refer to CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A). 
CVE-2019-11510 
  Vulnerability description: In Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted Uniform 
  Resource Identifier (URI) to perform an arbitrary file read. 
  Affects: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. 
  Prior cybersecurity guidance: Advisory: APT29 targets COVID-19 vaccine development (U/OO/152680-20); 
  Mitigating Recent VPN Vulnerabilities (U/OO/196888-19) 

CVE-2019-19781 
  Vulnerability description: Citrix® Application Delivery Controller (ADC) and Gateway allow directory traversal. 
  Affects: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN 
  WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. 
  Prior cybersecurity guidance: Advisory: APT29 targets COVID-19 vaccine development (U/OO/152680-20); 
  Detect and Prevent Web Shell Malware (U/OO/134094-20); Mitigate CVE-2019-19781 (U/OO/103100-20) 

CVE-2020-4006 
  Vulnerability description: VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager 
  Connector have a command injection vulnerability. 
  Affects: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 - 3.3.3 on Linux, VMware Identity Manager 
  Connector 3.3.1 - 3.3.3 and 19.03, VMware Cloud Foundation 4.0 - 4.1, and VMware vRealize Suite Lifecycle Manager 8.x. 
  Prior cybersecurity guidance: Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace ONE Access 
  Using Compromised Credentials (U/OO/195076-20); Perform Out-of-Band Network Management (U/OO/169570-20) 
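The "Affects:" entries above are the input a vulnerability-management team actually works from. As an added example that is not part of the advisory, the script below encodes the numeric version ranges for CVE-2018-13379 (FortiOS), CVE-2019-19781 (Citrix ADC/Gateway) and CVE-2020-4006 (VMware Identity Manager) exactly as the advisory states them and triages a constructed asset inventory against them; Pulse Secure and Zimbra builds (R- and p-suffixed versions) are left out because they need a different version parser. The inventory rows and hostnames are constructed sample data.

```python
"""Triage an asset inventory against the advisory's affected-version ranges (added example)."""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted numeric version ("13.0.47.24") into a tuple so that comparison is
    numeric per component: string comparison would wrongly order "5.6.10" before "5.6.7"."""
    return tuple(int(part) for part in v.strip().split("."))


# Ranges copied from the advisory's "Affects:" text: (low inclusive, high, high_inclusive).
# "X to Y" is inclusive on both ends; "before Y" is exclusive at Y and is bounded below by
# the release branch Y belongs to (e.g. 13.0 for "before 13.0.47.24").
AFFECTED: dict[str, tuple[str, list[tuple[str, str, bool]]]] = {
    "CVE-2018-13379": ("Fortinet FortiOS",
                       [("6.0.0", "6.0.4", True), ("5.6.3", "5.6.7", True), ("5.4.6", "5.4.12", True)]),
    "CVE-2019-19781": ("Citrix ADC/Gateway",
                       [("13.0", "13.0.47.24", False), ("12.1", "12.1.55.18", False),
                        ("12.0", "12.0.63.13", False), ("11.1", "11.1.63.15", False),
                        ("10.5", "10.5.70.12", False)]),
    "CVE-2020-4006": ("VMware Identity Manager", [("3.3.1", "3.3.3", True)]),
}


def is_affected(cve: str, version: str) -> bool:
    """True if `version` falls inside any affected range listed for `cve`."""
    _, ranges = AFFECTED[cve]
    v = parse_version(version)
    for low, high, inclusive in ranges:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (hostname, CVE) pairs for assets running an affected version of a listed product."""
    findings = []
    for host, product, version in inventory:
        for cve, (affected_product, _) in AFFECTED.items():
            if product == affected_product and is_affected(cve, version):
                findings.append((host, cve))
    return findings


SAMPLE_INVENTORY = [  # constructed sample data, not from the advisory
    ("vpn-01", "Fortinet FortiOS", "6.0.4"),         # last affected 6.0.x build
    ("vpn-02", "Fortinet FortiOS", "6.0.5"),         # first build above the 6.0.x range
    ("adc-01", "Citrix ADC/Gateway", "13.0.47.24"),  # not affected: range is "before 13.0.47.24"
    ("adc-02", "Citrix ADC/Gateway", "12.1.50.31"),  # affected: below 12.1.55.18
    ("idm-01", "VMware Identity Manager", "3.3.2"),  # affected: inside 3.3.1 - 3.3.3
    ("idm-02", "VMware Identity Manager", "3.3.4"),  # above the stated range
]

if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by {cve}, patch or mitigate per prior guidance")
```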
Disclaimer of endorsement 


The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific 
commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, 
recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. 


Purpose 


This document was developed by NSA, CISA and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to identify 
and disseminate information about threats to U.S. Government and critical infrastructure information systems, and to develop and issue cybersecurity 
specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. 


Trademarks 


SolarWinds® and SolarWinds Orion® are registered trademarks of SolarWinds Worldwide, LLC. • VMware®, VMware Workspace ONE®, VMware Identity 
Manager (vIDM)®, VMware Access®, VMware Cloud Foundation®, and VMware vRealize Suite Lifecycle Manager® are registered trademarks of VMware, 
Inc. • Fortinet® is a registered trademark of Fortinet, Inc. • Zimbra® is a registered trademark of Synacor, Inc. • Pulse Secure® is a registered trademark of 
Pulse Secure, LLC. • Citrix® is a registered trademark of Citrix Systems, Inc. 
• NSA Media Relations, 443-634-0721, MediaRelations@nsa.gov 

• CISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov 

• FBI National Press Office, 202-324-3691, npo@fbi.gov 